CYBERSHEATH BLOG

Lia Konieczny

Recent Posts

If you were a bank robber, you would target the largest bank around in order to secure the biggest prize possible in exchange for the risk associated with committing the crime, right? The same is true for cyber criminals. They specifically target organizations within industries that provide the most return for their crime. These unseen criminals, though they are not stealing physical cash, are stealing your personal information, which can grant them access to more than just what is in your bank account. The prime targeted industries are those that house customer information in some form or another; examples include banks, healthcare providers, and retailers, among others. Thankfully, our everyday institutions are fortifying their security against these cyber thieves by employing software solutions such as RSA Archer, which help prevent theft of customer data and fraud before they occur by tracking threat behavior and analyzing patterns of risk.

Thanksgiving Day is almost here and with it, our focus turns to our family, friends, food, and most importantly, football. As we celebrate one of our country’s most cherished traditions, we give thanks to health, wealth, good company, and of course, turkeys. However, this holiday season, we should recognize our nation’s involvement in cybersecurity and how much we’ve grown with it! Whether it be booking your flight home online, posting a picture of your Thanksgiving feast to Instagram or Facebook, streaming the big game, or FaceTiming your relatives that can’t be there in person, being online is a huge part of this and every day. I’d like to take a moment to share with you some news within our industry that we should be thankful for this year.

As most of you know, October heralds a variety of festive autumn events such as the epic return of pumpkin spice everything, Halloween, and the beautiful transition of fall foliage. October also happens to be National Cyber Security Awareness Month, which provides us an opportunity to shed light on the everyday dangers that we face in our vastly connected world. In addition to things that go bump in the night and the occasional monster in our closet, we face constant threats to our online security in both our corporate and home environments. Below are some tips (not tricks, we promise!) that we hope will help make accessing the internet a little less frightening.

Recently, a congressional investigation conducted by the U.S. House of Representatives’ Committee on Oversight and Government Reform reported that the two major data breaches suffered by the U.S. Office of Personnel Management (OPM) in 2014 and 2015 were indeed preventable and in fact, made worse by lax security regulations and ineffective management. The OPM is an organization that manages aspects of federal employment, such as background checks, for most government agencies. These massive attacks resulted in the compromise of sensitive data belonging to more than 22 million people.

Wouldn’t it be great if there were an “easy” button for developing your organization’s governance, risk, and compliance departments? There are several aspects to consider when building out each sector, such as, what kind of control assessments should we have and how often? What kind of approval chain should our policy documents be following? How should we conduct our business impact analyses? Where should we house our asset inventory? How do we tie all of these aspects together? Why is GRC even important?

You may have heard all the buzz about Pokémon Go, Nintendo’s latest generation of games developed after the popular animated show from the 90’s, created as a mobile phone app. In people’s haste to download and install the latest and greatest, users are also falling victim to additional malicious apps disguised as tutorials or alternate versions of the game. As the app is only officially offered in the US, New Zealand, UK, and Australia, users in other countries are passing around Android Package Kit (APK) files in an attempt to play the game as well. However, installing an APK this way requires users to “sideload” the app, which means changing a core Android security setting so that the device will install applications from untrusted third-party sources.

The financial industry is beginning to recognize that cybersecurity is no longer solely the concern of the information technology department but has greater importance throughout the entire business workflow. As the growing complexity of cyber threats continues to pose serious risks for financial institutions, robust compliance and risk management platforms have become increasingly crucial to the protection of assets. While malware such as worms and viruses still poses an everyday threat to organizations, attacks that compromise Internet-of-Things (IoT) devices and ransomware are considerably larger dangers to critical data and processes.

According to a recent report conducted by PhishMe, 93 percent of all phishing attacks contained encryption ransomware, up 56 percent from December of 2015. This heightened growth can be attributed to the ease of sending ransomware via phishing emails that contain job applicant, billing, shipping, and invoice-related messages with seemingly harmless attachments.

In the ever-evolving world of cyber security, one component remains both dynamic and widespread: risk itself. The flu virus, much like risk, is ever mutating and adapting to new environments, and we as human beings are consistently trying to defend ourselves against it by getting our flu shot every year, washing our hands frequently, and trying the latest prevention trends like Emergen-C and clean eating. Yet despite some of our best efforts, we often become infected with this virus year after year. Similarly, when organizations put their faith in the “latest and greatest” next-generation firewall or anti-malware software, their margin of risk is only slightly narrowed. Why? As defense technologies perpetually adapt to new environments, attackers are doing the exact same thing with their arsenal. Even though we got our flu shot and maintained good hygiene, we were still impacted by the virus. Organizations face attacks on a daily basis no matter what method of prevention they employ.

Note: This is the first in a series of blog posts in which CyberSheath GRC consultants specifically describe how the RSA Archer GRC Solution can assist with the adoption of the Critical Security Controls for Effective Cyber Defense. Each post of this series will focus on one of the 20 Critical Security Controls.

CyberSheath has worked with countless customers who are just beginning their GRC journey. As security consultants first, the initial steps we take when building out GRC efforts for any organization align with the Critical Security Controls for Effective Cyber Defense. These controls, formerly known as the SANS 20 Critical Security Controls, focus on prioritizing actionable and pragmatic security functions that are effective against advanced attacks.

20 Critical Security Controls

Control 1: Inventory of Authorized and Unauthorized Devices

The first Critical Control, Inventory of Authorized and Unauthorized Devices, tells us that organizations should “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” To accomplish this, companies need to maintain an asset inventory of all systems connected to the network, preferably deploying an automated asset inventory system to gather the data. The idea behind this control is that we can’t protect what we don’t know we have and therefore, having an accurate asset inventory is always the first step in both mature security and GRC projects.
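The core of Control 1 is a reconciliation: compare what an automated discovery source says is on the network against what the inventory says is authorized, and act on the differences. The script below is an added example (not CyberSheath's or RSA Archer's code) that does that reconciliation in Python. The authorized inventory and the DHCP lease lines are constructed sample data; the lease format is assumed to be dnsmasq-style (expiry, MAC, IP, hostname, client id). In practice the inventory would come from a CMDB or GRC export and the leases from the DHCP server or a network scanner.

```python
"""Reconcile discovered network devices against an authorized asset inventory.

Added example for Critical Control 1. Inventory and lease data below are
constructed for illustration; the lease line format is assumed (dnsmasq-style).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str


# Constructed authorized inventory (hypothetical devices and owners).
AUTHORIZED_INVENTORY = [
    Asset("00:1A:2B:3C:4D:5E", "fin-ws-01", "Finance"),
    Asset("00:1A:2B:3C:4D:5F", "fin-ws-02", "Finance"),
    Asset("00:1A:2B:3C:4D:60", "hr-laptop-07", "HR"),
    Asset("00:1A:2B:3C:4D:61", "print-3f", "Facilities"),
]

# Constructed DHCP lease lines: "<expiry> <mac> <ip> <hostname> <client-id>".
# Note the mixed MAC notation on the third line; real sources are inconsistent.
DHCP_LEASES = """\
1700000000 00:1a:2b:3c:4d:5e 10.0.1.10 fin-ws-01 *
1700000020 00:1a:2b:3c:4d:5f 10.0.1.11 fin-ws-02 *
1700000040 00-1A-2B-3C-4D-60 10.0.1.12 hr-laptop-07 *
1700000060 de:ad:be:ef:00:01 10.0.1.99 android-8f2c *
1700000080 00:1a:2b:3c:4d:99 10.0.1.23 unknown-pc *
"""


def normalize_mac(mac: str) -> str:
    """Canonical MAC form: lowercase hex pairs joined by colons.

    Accepts colon-, hyphen- or dot-separated input so that the same device is
    never counted as two different assets because of notation differences.
    """
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> Dict[str, Dict[str, str]]:
    """Parse lease lines into {normalized_mac: {"ip": ..., "hostname": ...}}."""
    seen: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines instead of aborting the report
        mac = normalize_mac(parts[1])
        seen[mac] = {"ip": parts[2], "hostname": parts[3]}
    return seen


def reconcile(inventory: Iterable[Asset],
              discovered: Dict[str, Dict[str, str]]) -> Tuple[dict, dict, dict]:
    """Split devices into authorized-and-seen, unauthorized, and missing.

    unauthorized: on the network but not in the inventory (investigate/block).
    missing: in the inventory but not observed (stale record or offline asset).
    """
    known = {normalize_mac(a.mac): a for a in inventory}
    authorized_seen = {mac: known[mac] for mac in discovered if mac in known}
    unauthorized = {mac: info for mac, info in discovered.items() if mac not in known}
    missing = {mac: asset for mac, asset in known.items() if mac not in discovered}
    return authorized_seen, unauthorized, missing


def report(inventory: Iterable[Asset], lease_text: str) -> str:
    """Render a short text report suitable for a daily control-1 review."""
    authorized_seen, unauthorized, missing = reconcile(inventory, parse_leases(lease_text))
    lines = [f"authorized devices seen: {len(authorized_seen)}"]
    for mac, info in sorted(unauthorized.items()):
        lines.append(f"UNAUTHORIZED {mac} ip={info['ip']} host={info['hostname']}")
    for mac, asset in sorted(missing.items()):
        lines.append(f"MISSING {mac} host={asset.hostname} owner={asset.owner}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(AUTHORIZED_INVENTORY, DHCP_LEASES))
```

Run as a script it prints the three authorized devices seen, flags the two unknown MAC addresses as unauthorized, and lists the printer that was expected but not observed. The two non-empty buckets are the actionable output: unauthorized devices are candidates for quarantine or NAC enforcement, and missing devices are inventory records to verify before the next assessment.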